System Integrity Protection (SIP)

Keyboard Shortcuts

Learn about the new System Integrity Protection (SIP) tool in OS X El Capitan. Understand how SIP works and how to enable and disable SIP. Learn how SIP protects organizations and their users. Find out how to administer SIP and understand which directories permissions are changed by SIP. Learn how to work around and with System Integrity Protection and list all of the directories affected.

- Don't just disable System Integrity Protection.Learn how you're going to use it from now on,and what the misnomer "rootless" meansto MAC system administrationwith System Integrity Protection.Let's start by talking aboutwhat System Integrity Protection is.Apple decided that,in the state that most Macintosh systems exist in the world,with one admin user accountand used by a user who may not understandthe security implications of entering their admin passwordinto a presented authentication dialog,it's much safer if they remove the abilityfor that admin user to enter into a root sessionthat could potentially overwrite sensitive informationwithin the operating system.

This is sometimes called a rootless systembut that's not really trueas the root user and the ability to enter a sudo sessionstill exist.Instead, SIP simply protects system files from being changedby anyone but Apple.To see the list of directoriesprotected by System Integrity Protectionyou can type the following into Terminal.To do this we're going to need to go to the Go menu,pull out the Utilities,open Terminal,and we're going to make it a little bit biggerso you can see what we're doing here,and we're going to type the following:we're going to CD and to SystemLibrarySandboxCompatibility.bundleContentsResourcesThat puts us into a directorywhere if we type "ls" to list the contentswe see something called paths.

All we need to do in order to previewwhat's in the paths directoryis type the less command against pathshit return, and then we can see all of the different pathsthat are protected by System Integrity Protection.I'm just hitting the space bar to space through this list.Hit q to get out of that listwhen you're finished reviewing it.If you wanted to save that, for later review,you would type "less paths"space, and then ">"space, and then a path where you want to save this.

I'm going to put it on this user's desktop folderby typing "~/Desktop"and then "/"I'm going to just type this out as "paths.txt"This is going to create a text documentwith the contents that were spit out over the less commandwhenever it read the paths file.I do that, and boom, you see it just pop right thereup on the Desktop.And if I click look that fileit's got the contents that we were reviewing before,except that now I can just leave it here on my Desktopand review it whenever I wishand I haven't damaged anything.

It's worth noting that if you turn offSystem Integrity Protectionthat list goes away.So, you would want to do this before disabling SIPif that were what you're going to do.If you perform an upgrade from a previous version of OS Xwhat you'll see is that the OSwill quarantine files that were placed in protected pathwaysvia installations performed on the previous OS.Any old applications that put thingsinto folders or pathways that are protectedunder El Capitan's System Integrity Protectionthose pathways are going to be quarantined.

And the quarantined file paths are going to be moved into/Librarywe'll CD into this/LibrarySystem Migrationand if you type "SystemMig" and you hit tab and it doesn't goit means that you did not upgrade from a previous versionand so this pathway does not exist.But the rest of the pathway is/Libraryand I'll type it for you here, so you can see it:/SystemMigration/History/Migrationand then this will be followed by a <UUID>it would be a long, long, long numberand then there would be a folder calledQuarantineRootAll right?And so, all of that will be quarantinedwithin this directory for you.

I'm going to quit Terminal.Now, another feature ofthe System Integrity Protection systemis that it protects kernel extensionsfrom running errant code.So, a kernel extension, or the residuous kexts,they're bundles that extend the kernel, okay?And with System Integrity Protectionkernel extensions have to be signedby a Developer ID certificateand installed into Library/ExtensionsThey can't install into System Library Extensionsbecause that's a protected area.

When a process has started, the kernelchecks to see whether the main executableis protected on diskor is signed with a special system entitlement.If either is true, then a flag is set to denotethat it's a protected resource,and it's protected against modification.Any attempts to attach to a protected processis denied by the kernel.So, this feature not only protects the systemby making certain directories unwritable,it also provides real time validation of codebeing launched by the system kernelto extend its functionalityto be sure the extension is trusted.

System Integrity Protection configuration is stored in NVRAMrather than in the file systemthat you're working in here.So, as a result, the configuration appliesto every installation of OS Xacross all volumes on the entire computer.This includes externally attached bootable volumesand it persists across all OS X installationsthat support System Integrity Protection.Which, of course, currently only includes El Capitan.This, obviously, even though it's installed in NVRAM,wouldn't affect Yosemitebecause Yosemite doesn't know anythingabout System Integrity Protection.

System Integrity Protection can be enabled or disabledusing the csrutil commandonly while booted from the recovery partitionfrom the included terminal application.You can checkwhether System Integrity Protection is turned onon your system by running the following command in Terminalwhile booted normally.So, again, we're going to go into Terminal,and we're going to type "csrutil status"and hit returnand it tells usthat System Integrity Protection status is disabled.

So we're going to have to bootinto the recovery HD partitionin order to enable System Integrity Protection again.This has been disabledbecause we've been going back and forthand playing with this here on the recording system.We're going to show you what it meansto go in and to do this at the command line in Terminalin the recovery partition.So, we're going to do that process now.To begin, we restart the computerand we hold down the command R keys on the keyboard.

When you boot into the recovery partitionyou're presented with an OS X Utilities windowand, under the Utilities menuyou go up here and you pull down to Terminal.When you open Terminalyou can do the same thing that you can do on a standard Macwhich is, increase the size,but notice that the command prompt has changedI'm no longer in my regular user account,I'm instead in here, as root, essentially, hereand in the recovery partition.

All right, so when we were in the previous screenwhen we were in Terminal on our Macand booted normallywe noted that the System Integrity Protectionhad been disabled,so, in order to enable itwe simply type "csrutil enable"and hit return.Successfully enabled System Integrity Protection.Please restart the machinefor the changes to take effect.We type "exit", we quit, we go up here, we hit Restart,and upon Restart, we will have ourselves a fully protectedSystem Integrity Protection protected system.

If we wanted to change that to disabledwe would do exactly the same thing again.So, here we are back on our system.If we go to the Go menu, pull down the Utilities,and we open up Terminaland we open it.If we just go and run the exact same command we did before,"csrutil status" we can now seethat System Integrity Protection status is enabled.Which is exactly what we would want.So, that is what you need to doin order to administer the csrutilvia the command line in the recovery partitionin order to enable System Integrity Protectionor disable it.

Remember, the same thing happensif you just type "csrutil disable"while booted from recovery, that same thing will work.Another thing that I should point out here isthat if you disable SIPto accomplish some administrative tasksor enable some application or kernel extensionthat you trustbut which has not been rewritten yet to support SIPbe sure to boot back into recoveryand reenable it after your configuration work is completeand the system is ready to be used again.System Integrity Protection is the most dramatic improvementto basic system security in OS X since its original release.

And now, you have a much better understandingof how to interact with it as an IT administratorin El Capitan.

Resume Transcript Auto-Scroll

Author

Released

1/15/2016

Sean Colins takes a look at Mac's latest operating system—El Capitan—focusing on the key topics IT administrators need to know to perform their job. Sean dives into assessing and planning the migration to El Capitan, and then provides the steps necessary to install and configure the OS. He show users how to back up and migrate data, as well as what's needed to manage applications effectively. The course also covers system monitoring, adding peripherals, networking, and Active Directory integration. Finally, Sean shows viewers how to troubleshoot common problems and collect system information and other documentation.